From a8bde144b348c9e4fe2382dc8367a58b37c25718 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= <sandro.jaeckel@gmail.com>
Date: Mon, 13 Nov 2023 23:55:22 +0100
Subject: [PATCH] Check on every deploy ssh connection if we are on the right
 machine

---
 modules/microvm.nix |  1 +
 packages.nix        | 24 ++++++++++++++++--------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/modules/microvm.nix b/modules/microvm.nix
index a05166fd..459996ac 100644
--- a/modules/microvm.nix
+++ b/modules/microvm.nix
@@ -157,6 +157,7 @@ in
       '';
 
       runOnServer = pkgs.writeShellScript "run-on-${server}" ''
+        # we cannot execute any other commands here because it grabs away $@
         ssh root@${serverFQDN} -- $@
       '';
     };
diff --git a/packages.nix b/packages.nix
index 7b0ea267..2406676a 100644
--- a/packages.nix
+++ b/packages.nix
@@ -115,9 +115,9 @@ lib.attrsets.mapAttrs
             exit 2
           ''}
 
-          if [[ $(ssh ${target} cat /etc/hostname) != ${name} ]]; then
-            echo "hostname of the target machine does not match, please manually investigate!"
-            echo "  $(ssh ${target} cat /etc/hostname) != ${name}"
+          hostname="$(ssh ${target} cat /etc/hostname)"
+          if [[ "$hostname" != ${name} ]]; then
+            echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
             exit 2
           fi
           nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
@@ -125,7 +125,9 @@ lib.attrsets.mapAttrs
 
           # use nixos-rebuild from target config
           ssh ${target} bash -e <<END
-          nix build ${toplevelDrvPath}
+          set -eou pipefail
+          set -x
+          nix build --no-link ${toplevelDrvPath}
           ${discardStringCtx hostConfig.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${toplevelOutPath}
           ${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
           END
@@ -161,7 +163,13 @@ lib.attrsets.mapAttrs
         "${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
           set -eou pipefail
 
-          [[ ''${1:-} == build || $(ssh ${target} cat /etc/hostname) == ${name} ]]
+          if [[ ''${1:-} == build; then
+            hostname=$(ssh root@${target} cat /etc/hostname)"
+            if [[ "$hostname" != ${name} ]]; then
+              echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
+              exit 2
+            fi
+          fi
           # don't re-execute, otherwise we run the targetPlatform locally
           _NIXOS_REBUILD_REEXEC=1 ${lib.getExe pkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
         '';
@@ -219,9 +227,9 @@ lib.attrsets.mapAttrs
               ssh ${target} bash -e <<END
               set -eou pipefail
 
-              if [[ \$(cat /etc/hostname) != ${name} ]]; then
-                echo "hostname of the target machine does not match, please manually investigate!"
-                echo "  $(cat /etc/hostname) != ${name}"
+              hostname=\$(cat /etc/hostname)
+              if [[ "\$hostname" != ${name} ]]; then
+                echo "hostname of ${target} was expected to be ${name} but is \$hostname. Aborting to be safe..."
                 exit 2
               fi
               ${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"